Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure Setup Wizard

You are here: Device Administration > Reset Configuration.

Using the Setup wizard, you can perform step-by-step configuration of a services gateway that can securely pass traffic.

Note:

You can also configure the setup modes in the factory default settings. Connect your management device (laptop or PC) to the SRX Series Firewall in factory default settings, the J-Web Setup wizard will appear. For more information on the Setup wizard in the factory default settings, see Start J-Web.

You can choose one of the following setup modes to configure the services gateway:

Note:

Click Cancel to exit the mode selection window.

  • Standalone mode—Configure your SRX Series device to operate in a standalone mode. In this mode, you can configure basic settings such as device credentials, time, management interface, zones and interfaces, and DNS servers and default gateways.

  • Cluster (HA) mode—Configure your SRX Series device to operate in a cluster (HA) mode. In the cluster mode, a pair of devices are connected together and configured to operate like a single node, providing device, interface, and service level redundancy.

    Note:

    You cannot configure Standalone or Passive mode when your device is in the HA mode.

  • Passive (Tap) mode—Configure your SRX Series device to operate in a TAP mode. TAP mode allows you to passively monitor traffic flows across a network. If IPS is enabled, then the TAP mode inspects the incoming and outgoing traffic to detect the number of threats.

    Note:

    SRX5000 line of devices, SRX4600, and vSRX devices does not support the passive mode configuration.

To help guide you through the process, the wizard:

  • Determines which configuration tasks to present to you based on your selections.

  • Flags any missing required configuration when you attempt to leave a page.

To configure SRX Series Firewalls using the J-Web Setup wizard:

  1. Click Reset.
  2. Click Proceed to Launch to launch the Setup Wizard.
    Note:

    For the Standalone and the Passive (Tap) modes, launching the Setup wizard resets the device to the factory default configuration after saving a backup of the current committed configuration to the local file system. If you click Cancel during the setup, the device rolls back to its previous committed state.

  3. Select the mode you want to setup and click Start.
  4. For the Standalone mode and Passive (Tap) mode, complete the configuration according to the guidelines provided in Table 1 through Table 3.
    Note:
    • If you select Cluster (HA) Mode, for the configuration information see Configure Cluster (HA) Setup.

    • In the Setup wizard, root password is mandatory, and all the other options are optional. In the passive mode, management interface, Tap interface, and services are mandatory.

  5. Click Finish.

    A successful message appears, and the device configuration mode of your choice is set up.

    Note:
    • Once the configuration is complete, the entire configuration is committed to the device and a successful message appears. If the commit fails, the CLI displays an error message and you remain at the wizard’s last page. If required, you can change the configuration until the commit is successful.

    • For SRX300 line of devices and SRX550M devices, an additional message will be displayed about the device reboot if you have enabled Juniper ATP Cloud or Security Intelligence services. For other SRX Series Firewalls, the device will not reboot.

Table 1: Setup Wizard Configuration

Field

Action

Device Credentials
System Identity

Device name

Enter a hostname.

You can use alphanumeric characters, special characters such as the underscore (_), the hyphen (-), or the period (.); the maximum length is 255 characters.

Root Account

Username

Displays the root user.

Note:

We recommend that you do not use root user account as a best practice to manage your devices.

Password

Enter a password.

You can use alphanumeric characters and special characters; the minimum length is six characters.

SSH for root user

Enable this option to allow the root login (to the device) using SSH.

Admin Account

Username

Enter the admin username to manage the device.

Password

Enter the admin password.

Time
Time

Time zone

Select a time zone from the list.

Time source

Select either NTP server, computer time, or Manual to configure the system time:

  • NTP Server > NTP servers—Select the NTP server in the Available column and move to the selected column using the right arrow. Once the system is connected to the network, the system time is synced with the NTP server time.

    In addition, to add a new NTP server, click + and enter a hostname or IP address of the NTP server and click OK.

    Note:

    If you want to add more NTP servers, go to Device Administration > Basic Settings > Date & Time Details through the J-Web menu.

  • Computer Time > Computer time—Device automatically synchronizes with your computer time only during the setup.

  • Manual > Date and time—Select the date and time (in MM-DD-YYYY and HH:MM:SS 24-hour format) to configure the system time manually.

Management Interface
Management Interface
Note:

If you change the management IP address and click Next, a warning message appears on the Management Interface page that you need to use the new management IP address to log in to J-Web because you may lose the connectivity to J-Web.

Management interface

Select an interface from the list.

If fxp0 port is your device’s management port, then the fxp0 port is displayed. You can change it as required or you can select None and proceed to the next page.

Note:
  • You can choose the revenue port as management port if your device does not support the fxp0 port. Revenue ports are all ports except fxp0 and em0.

  • If you are in the Standalone mode, you can choose None for the management interface and click Next to proceed to the next screen.

  • If you are in the Passive (Tap) mode, it is mandatory to configure a management port. J-Web needs a management port for viewing generated report.

IPv4
Note:

Click email to self to get the newly configured IPv4 or IPv6 address to your inbox. This is useful if you lose connectivity when you change the management IP address to another network.

Management address

Enter a valid IPv4 address for the management interface.

Note:

If fxp0 port is your device’s management port, then the fxp0 port’s default IP address is displayed. You can change it if required.

Management subnet mask

Enter a subnet mask for the IPv4 address.

If you have changed the management address, use the new IP address to access J-Web.

Static route

Enter an IPv4 address for the static route to route to the other network devices.

Static route subnet mask

Enter a subnet mask for the static route IPv4 address.

Next hop gateway

Enter a valid IPv4 address for the next hop.

IPv6

Management access

Enter a valid IPv6 address for the management interface.

Management subnet prefix

Enter a subnet prefix length for the IPv6 address.

Static route

Enter an IPv6 address for the static route if required to reach the device through the management interface.

Static route subnet prefix

Enter a subnet prefix length for the static route IPv6 address.

Next hop gateway

Enter a valid IPv6 address for the next hop.

Access Protocols
Note:

This option is available for all the ports except fxp0.

HTTPS

This option is enabled by default.

SSH

This option is enabled by default.

Ping

Enable this option for ping service.

DHCP

Enable this option for DHCP service.

NETCONF

Enable this option for NETCONF service.

Zones & Interfaces
Security Policy
Note:

This option is available only for the Standalone mode. For the Passive (Tap) mode, this option is available under Tap Settings.

From Zone

Name of the source zone. In the standalone mode, permits all traffic from the trust zone.

To Zone

Name of the destination zone. In standalone mode, permits all traffic from the trust zone to the untrust zone.

Source

Name of the source address (not the IP address) of a policy.

Destination

Name of the destination address.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Zones

—Displays the available trust and untrust zones configuration.

Trust Zone Interfaces
Note:

This option is available only for the Standalone mode.

Add Trust Zone Interface

Click + to add trust zone interface. For more information on the fields, see Table 2.

Edit Trust Zone Interface

Select an interface and click the pencil icon at the right corner of the table to modify the configuration.

Delete Trust Zone Interface

Select an interface and click the delete icon at the top right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search Trust Zone Interface

Click the search icon at the right corner of the table to quickly locate a zone or an interface.

Detailed View Trust Zone Interface

Hover over the interface name and click the Detailed View icon to view the zone and interface details.

Trust Zone Interfaces—Zone Level Settings

Zone name

View the trust zone name populated from your device factory default settings.

Note:

For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.

Description

Enter the description for trust zone.

System services

Enable this option for the types of traffic that can reach the device on a particular interface.

By default, this option is enabled. You can disable if required.

Protocols

Enable this option to configure the device to perform stateful network traffic filtering on network packets using network traffic protocols (for example, TCP and UDP).

By default, this option is enabled. You can disable if required.

Application tracking

Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.

Source identity log

Enable this option for the device to log the user identity information based on the source zone configured in the security policy.

Untrust Zone Interfaces

Add Untrust Zone Interface

Click + to add untrust zone interface. For more information on the fields, see Table 3.

Edit Untrust Zone Interface

Select an interface and click the pencil icon at the right corner of the table to modify the configuration.

Delete Untrust Zone Interface

Select an interface and click the delete icon at the top right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search Untrust Zone Interface

Click the search icon at the right corner of the table to quickly locate a zone or an interface.

Detailed View Untrust Zone Interface

Hover over the interface name and click the Detailed View icon to view the zone and interface details.

Untrust Zone Interfaces—Zone Level Settings

Zone name

View the untrust zone name populated from your device factory default settings.

Note:

For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.

Description

Enter the description for untrust zone.

Application tracking

Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.

Source identity log

Enable this option for the device to log the user identity information based on the source zone configured in the security policy.

DNS Servers & Default Gateways
DNS Servers

DNS server 1

Enter the IPv4 or IPv6 address of the primary DNS.

DNS server 2

Enter the IPv4 or IPv6 address of the secondary DNS.

Default Gateway

Default gateway (IPv4)

Enter the IPv4 address of the next possible destination for any network.

Default gateway (IPv6)

Enter the IPv6 address of the next possible destination for any network.

Tap Settings
Note:

This option is available only for the Passive (Tap) mode.

Tap Settings

Tap interface

Select the interface from the list.

IP-IP tunnel inspection

Enable this option for the SRX Series device to inspect pass through traffic over an IP-IP tunnel.

GRE tunnel inspection

Enable this option for the SRX Series device to inspect pass through traffic over a GRE tunnel.

Security Policy & Advanced Services
Note:

Your device must have internet connectivity to use IPS, Web filtering, Juniper ATP Cloud, and Security threat intelligence services.

From Zone

Name of the source zone. In the Tap mode, permits all traffic from the tap zone.

To Zone

Name of the destination zone. In the Tap mode, permits all traffic from the TAP zone to the TAP zone.

Source

Name of the source address (not the IP address) of a policy.

Destination

Name of the destination address.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

UTM

UTM

Enable this option for configuring UTM services.

License

Enter UTM license key and click Install License to add a new license.

Note:
  • Use a blank line to separate multiple license keys.

  • To use UTM services, your device must have internet connectivity from a revenue interface.

UTM type

Select an option to configure UTM features:

  • Web Filtering

  • Antivirus

  • Antispam

Web filtering type

Select an option:

  • Enhanced—Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

  • Local—Specifies the local profile type.

IPS

IPS

Enable this option to install the IPS signatures.

License

Enter the license key and click Install License to add a new license.

Note:

The installation process may take few minutes.

IPS signature

Click Browse to navigate to the IPS signature package folder and select it. Click Install to install the selected IPS signature package.

Note:

You can download the IPS signature offline package at https://support.juniper.net/support/downloads/.

ATP Cloud

ATP Cloud

Enable this option to use Juniper ATP Cloud services.

Note:

After the Juniper ATP Cloud configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.

Security Intelligence

Security intelligence

Enable this option to use Security intelligence services.

Note:

After the Security Intelligence configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.

User Firewall

User Firewall

Enable this option to use user firewall services.

Domain name

Enter a domain name for Active Directory.

Domain controller

Enter domain controller IP address.

Username

Enter a username for administrator privilege.

Password

Enter a password for administrator privilege.

Table 2: Add Trust Zone

Field

Action

General

Type (family)

  • Select Switching. Fields for switching interface are:

    Note:

    This option will be available for only SRX300 line of devices, SRX550M, and SRX1500 devices. For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available.

    • IRB interface Unit—Enter the IRB unit.

    • Description—Enter the description for the interface.

  • Select Routing. Fields for routing interface are:

    For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available.

    • Interface—Select an option from list.

    • Interface unit—Enter the Inet unit.

      Note:

      VLAN tagging is enabled automatically if the interface unit is higher than zero.

    • Description—Enter the description for the interface.

    • VLAN ID—Enter the VLAN ID.

      Note:

      VLAN ID is mandatory if the interface unit is higher than zero.

Interfaces

Select an interface from the Available column and move it to the Selected column.

Note:

This option is available only for the Switching family type.

VLAN
Note:

This option is available only for the Switching family type.

Name

Enter a unique name for the VLAN.

VLAN ID

Enter the VLAN ID.

IPv4

IPv4 address

Enter a valid IPv4 address for the switching or the routing interface.

Subnet mask

Enter a subnet mask for the IPv4 address.

IPv6

IPv6 address

Enter a valid IPv6 address for the switching or the routing interface.

Subnet prefix

Enter a subnet prefix for the IPv6 address.

DHCP Local Server

DHCP local server

Enable this option to configure the switch to function as an extended DHCP local server.

Pool name

Enter the DHCP pool name.

Pool start address

Enter the starting IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network.

Pool end address

Enter the ending IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network.

Note:

This address must be greater than the address specified in Pool start address.

Propagate settings from

Select an option from the list. Propagation of TCP/IP settings (such as, DNS and gateway address) received on the device interface acting as DHCP client.

Services & Protocols

System Services

Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

The available options are:

  • all—Specify all system services.

  • any-service—Specify services on entire port range.

  • appqoe—Specify the APPQOE active probe service.

  • bootp—Specify the Bootp and dhcp relay agent service.

  • dhcp—Specify the Dynamic Host Configuration Protocol.

  • dhcpv6—Enable Dynamic Host Configuration Protocol for IPV6.

  • dns—Specify the DNS service.

  • finger—Specify the finger service.

  • ftp—Specify the FTP protocol.

  • http—Specify the Web management using HTTP.

  • https—Specify the Web management using HTTP secured by SSL.

  • ident-reset—Specify the send back TCP RST IDENT request for port 113.

  • ike—Specify the Internet key exchange.

  • lsping—Specify the Label Switched Path ping service.

  • netconf—Specify the NETCONF Service.

  • ntp—Specify the network time protocol.

  • ping—Specify the internet control message protocol.

  • r2cp—Enable Radio-Router Control Protocol.

  • reverse-ssh—Specify the reverse SSH Service.

  • reverse-telnet—Specify the reverse telnet Service.

  • rlogin—Specify the Rlogin service

  • rpm—Specify the Real-time performance monitoring.

  • rsh—Specify the Rsh service.

  • snmp—Specify the Simple Network Management Protocol.

  • snmp-trap—Specify the Simple Network Management Protocol trap.

  • ssh—Specify the SSH service.

  • tcp—encap-Specify the TCP encapsulation service.

  • telnet—Specify the Telnet service.

  • tftp—Specify the TFTP

  • traceroute—Specify the traceroute service.

  • webapi-clear-text—Specify the Webapi service using http.

  • webapi-ssl—Specify the Webapi service using HTTP secured by SSL.

  • xnm-clear-text—Specify the JUNOScript API for unencrypted traffic over TCP.

  • xnm-ssl—Specify the JUNOScript API Service over SSL.

Protocols

Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.

The available options are:

  • all—Specifies all protocol.

  • bfd—Bidirectional Forwarding Detection.

  • bgp—Border Gateway Protocol.

  • dvmrp—Distance Vector Multicast Routing Protocol.

  • igmp—Internet Group Management Protocol.

  • ldp—Label Distribution Protocol.

  • msdp—Multicast Source Discovery Protocol.

  • nhrp- Next Hop Resolution Protocol.

  • ospf—Open shortest path first.

  • ospf3—Open shortest path first version 3.

  • pgm—Pragmatic General Multicast.

  • pim—Protocol Independent Multicast.

  • rip—Routing Information Protocol.

  • ripng—Routing Information Protocol next generation.

  • router-discovery—Router Discovery.

  • rsvp—Resource Reservation Protocol.

  • sap—Session Announcement Protocol.

  • vrrp—Virtual Router Redundancy Protocol.

Table 3: Add Untrust Zone

Field

Action

General

Interface

Select an interface from the list.

Interface unit

Enter the interface unit value.

VLAN ID

Enter the VLAN ID.

Note:

VLAN ID is mandatory if the interface unit is higher than zero.

Description

Enter the description for the interface.

Address Mode

Select an address mode for the interface. The available options are DHCP Client, PPPoE (PAP), PPPoE (CHAP) and Static IP.

Note:

PPPoE (PAP) and PPPoE (CHAP) are not supported for SRX5000 line of devices and if any of the devices are in passive mode.

Username

Enter a username for PPPoE (PAP) or PPPoE (CHAP) authentication.

Password

Enter a password for PPPoE (PAP) or PPPoE (CHAP) authentication.

IPv4
Note:

This option is available only for the Static IP address mode.

IPv4 Address

Enter a valid IPv4 address for the interface.

Subnet Mask

Enter a subnet mask for the IPv4 address.

IPv6
Note:

This option is available only for the Static IP address mode.

IPv6 Address

Enter a valid IPv6 address for the interface.

Subnet Prefix

Enter a subnet prefix for the IPv6 address.

Services & Protocols

System Services

Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

Protocols

Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.